Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« November 2005 | Main | January 2006 »

December 20, 2005

It's Not Paranoia After All! Permalink

Last month I related my experience with PayPal when my account failed to let me into it. Well, it happened again yesterday, and with the help of the support rep at PayPal, I found out a little more.

Last time I attributed the hangup to a glitch in their system. That doesn't appear to be the case. After more digging, we discovered that someone (or multiple someones) had been attempting to log into my account during the past month. As before, when PayPal sees ten bad password attempts, it blocks the account, even if you have the right password.

The knee-jerk reaction from the support rep was to have me change my password. But, I advised my friend from the other side of the planet, the fact that my account is blocked means that my password hasn't been cracked, and that it offers good protection for my PayPal account. Instead, I suggested that the best solution is to change the email address (which is the login ID) on the account. If I change the account to an unpublished (and unspammed/unphished) address, that should end this recurring problem. I've done so, and we'll see how it goes.

That leaves one unanswered question: Why was someone targeting my PayPal account. Is it something personal, or a routine thing that happens a lot? I would guess that most PayPal customers have only a single email address. If that address is a known, live address, and if that person has a PayPal account, then half of the login combination is known to every e-crook on the planet (requiring an email address as a login ID is a controversial practice, but that's the way PayPal does it). At that point, your only protection is a strong password (I provide guidelines in Spam Wars).

I would think that if there were widespread attempts to log into random email addresses at PayPal in hopes that an address owner is a PayPal customer, this blocked account business would be quite rampant, and PayPal would have a horrendous customer support problem on their hands. Given the response I got from the customer support rep this time, I don't believe PayPal is experiencing this in significant numbers.

Therefore, I'm beginning to think the attacks have been personal—or at least relatively so. It's quite possible that my phishing reports (which usually include a complete copy of the phishing email message) have gotten back to a phisher or one of the gangs. They took the calculated (and, unfortunately, temporarily successful) gamble that I had a PayPal account with the most commonly phished email address as the login ID. Fortunately, my password kept them out of the account.

And now they don't even have the login ID. Phhbbbbt!

Posted on December 20, 2005 at 09:45 AM

December 18, 2005

This Should Be Illegal Permalink

I recall that several years ago the magazine subscription sweepstakes outfits ran afoul of various U.S. and/or state laws because they went too far in intimating that the recipient of an offer had already won a huge cash prize, when, in fact, the recipient might have won a prize (one winner out of a gazillion).

This bit of history comes to mind because of a not-uncommon type of spam that came into view here today. The Subject: line is pretty clear:

Subject: Shop on us this holiday season with a $300 Mastercard

The message then starts out like this:

We have been trying to reach you in order to deliver your free $300 Mastercard Gift Card
Please visit our website and verify your zipcode:
We have given you this $300 Mastercard just in time for the holidays. Let us buy all your holiday gifts

I ask you: Does this not say that they have given me this card? Doesn't it sound like it's all mine, ready to put in my hot little pocket to shop the holidays away?

Oh, wait...here's the fine print:

Receipt of your item requires compliance with offer terms, including: age and residency requirements; registration with valid email address, shipping address and contact phone number; completion of user survey and sponsor promotions.

I defy you to find out exactly what you have to do to get your card without also ratting yourself out by supplying at least your email address. Not only does the message contain a Web beacon image (coded with a number that identifies your address on the sender's list), but every link to the Web site bears the same code. Something also tells me that you'll have to jump through a lot of hoops and give up a fair amount of personal information (and perhaps information on your friends and family) to eventually qualify for the card...if you get it at all.

And holiday shopping? Maybe for St. Patrick's Day.

I stealthily visited the site managing the promotion. It's another of the long line of affiliate e-marketing sites about which I rant regularly. There are at least two (and probably more) sites with different domain names that all lead to the same server and IP address.

All sites point to an identical (except for the "company" name) privacy policy. It's a killer (as in you'll die laughing):

...("we") believe(s) in 100% permission-based marketing. We collect the information you provide at our websites. Additionally, we purchase and manage opt-in email lists generated by affiliate sites and organizations. To subscribe, you must provide your email address and categories of interest. ... We will confirm your subscription via email. Then, we may send offers for goods and services relevant to the categories of interest you have chosen.

So I'm visiting their Web site, but the only action one can take from the front page is to unsubscribe. There is no form to fill out to subscribe and supply one's categories of interest. The spam message assures me that I can "update my preferences" if I click on one of their coded links (no, thank you). I can also assure you that I have not given this company (or any of the companies I could find related to it) my permission to send me email. It's quite possible that they use the Direct Marketing Association's definition of "opt-in," which means that anyone can fill out a form with anyone's email address, and the address gets added to the database—all the screening of chicken wire. That this outfit uses affiliates further increases the likelihood that addresses could come from anywhere. It wouldn't surprise me to find out that the transmission of the Web beacon code is interpreted as a form of "opting in" because you opened the message.

In the meantime, untold thousands of recipients of this message will click the links to find out how they have been lied to about having won a gift card. In return the spammer gets thousands of email addresses verified for resale and rental to other spamvertisers. More cash for the spammer; more future spam for the spammee. If you're keeping score at home for this game of Spammer vs. Consumer, it's 1-0, Spammer.

Posted on December 18, 2005 at 10:32 PM

December 13, 2005

More E-Marketing Lies Permalink

I'm going to bypass a highly charged rant on the "business opportunity" scams that litter not only spam-space, but Web-space, utility-pole-space, and everywhere else people sell information about how to start a business selling information about how to start a business selling information about....

One such spam arrived today that is, on the surface, fairly typical. Here's the text-only pitch (the HTML version is all images that I won't retrieve to avoid adding to the spammer's Web site hit count), all typos and grammos just as they arrived:

Dear Danny:

People, just like yourself, have made life-changing decisions who now enjoy exciting lives filled with the satisfaction that comes from personal success and achievement.

Iwould like to invite you to take a few moments to review the information available at [URL deleted].

If you have ever considered a career move that will allow you to join the top 5% earners in the country, than just take a few minutes to view the presentation. No strings attached. [URL deleted]

Thank you.

Nothing special. Seen it a gazillion times. No company name or other kind of brand identity to confuse me, and perhaps just enough mystery to induce me to visit the Web site (NOT!).

Because I view all spam suspects only in their source code form, I also saw that the spammer included what appears to be a little sales pitch as an HTML comment—code that doesn't display anything when viewed in an email program. Here is that gem (I've hidden the name):

[So-and-so] Media provides specialized services for its customers from it's double opt-in database of business opportunity seekers. Every person receiving mail from [So-and-so] Media has requested to receive this type of offer. You Danny Goodman may remove yourself from this database at anytime. All abuse complaints will be handled immediately. Thank you for your continued support and response.

Upon further research, I uncovered the likely sender of this message. The originating IP address of the message comes from a block that the Spam Prevention Early Warning System (SPEWS) has linked to a long-time spammer. The domain registration records of the domains in the message links are hidden from public view (through Domains By Proxy)—a huge red flag from a spammer trying to prevent more virulent antispammers from leaving burning bags of dog doodoo on his doorstep. Registration records for both the sender and spamvertiser domains were created on the same date (way back last week), leading me to believe spammer and spamvertiser are one in the same.

The disclaimer had been used in other spam back in October, but it can't be a real sales pitch, because neither Google nor Yahoo find a match for the media company being touted. I guess the disclaimer is included to serve as a smokescreen for anyone inquisitive enough to look at the message's source code. Or perhaps it tries to make the sender appear to be far more than what he really is.

I've seen plenty of "double opt-in" proclamations over the years, and every one of them has been false (Spam Wars explains all the terminology used by both sides of the war). Some of them have even been sent to addresses that could have only been harvested from my Web site. Therefore, while this disclaimer might look to be "official," it's a crock.

Posted on December 13, 2005 at 10:12 AM

December 05, 2005

A Twist on the "Web Beacon" Scam Permalink

Message Trick #9 in Spam Wars details how the long-time "Web beacon" scam works. In short, your email address (which is auto-inserted to the message's To: field or message envelope) is appended to a request to a (usually hidden) image. When your HTML-enabled email reader fetches the image from a Web server (even to show it in the Preview Pane), your email address is silently beamed to the spammer, verified as being live and active. Your freshly confirmed address becomes yet another asset that spammers will sell/trade, assuring you of further spam. It's your unwilling contribution to the spam economy.

Most modern email programs and some Web-based email sites offer an option to prevent the retrieval of images embedded in an email message. If a legitimate message includes one or more images, you can elect to download the images at your explicit request. I wholeheartedly endorse this setting if it's available to you (it's the default behavior of Gmail, for instance). If additional security choices are available to you in your email program—especially disabling ActiveX controls and JavaScript—I also strongly recommend that you opt to disable those things that simply don't belong in email messages (because Bad Guys can do terribly nasty things with them).

For the past couple of weeks, I've been closely monitoring what spammers are currently doing with JavaScript in messages. The reason I'm so interested in this (other than being a JavaScript junkie) is that one press report indicated that a majority of email usage is now through Web-based email. In other words, a ton of email users are reading and sending email through services such as hotmail, yahoo, Gmail, and Web-page-based services of other providers (e.g., Earthlink, Comcast, and so on).

Some of these Web-based email services are using JavaScript (in concert with some advanced capabilities built into modern browsers) to create pretty spiffy user interfaces. Instead of retrieving a complete (and complex) Web page at every click, only small bits of information come down the pipe, while scripting embedded in the Web page modifies portions of the screen. The result is a Web page that seems to work almost as quickly as a separate email program.

Unfortunately, this means that if you want to take advantage of the speedy interface, you must have JavaScript enabled for your email Web site. And that's where several instances of something I saw in spam message source code caught my attention: Instead of embedding the Web beacon stuff in an image request, the beacon data is added to a request to an external JavaScript file. It doesn't matter what (if anything) the server returns for these kinds of requests (image or script)—it's the request to the server that emits the beacon confirming your email address. Even if images are blocked, scripts are retrieved (because the email site, itself, does it).

You can block this kind of script access by disabling JavaScript (e.g., in Internet Explorer for Windows XP, go to the Tools/Internet Options menu, click on the Security tab, click on the Restricted sites icon and the Sites button. Then add the domain of your email site, such as "mail.google.com"), but then the snazzy interface is gone. You'll be back to the slow, one-pageful-per-click response you've grown to hate elsewhere (and in Gmail, you won't be able to edit your global settings).

Another head just popped up in the eternal antispam game of Whack-a-Mole.

Posted on December 05, 2005 at 04:57 PM

December 04, 2005

Phishing for D'oh! Permalink

I love it when crooks make stupid mistakes. Two different phishers slipped up in today's deliveries.

The first goof isn't all that serious, but it defeats the purpose of applying a common technique aimed at disguising the actual URL of a phishing message link. The technique uses JavaScript to replicate—but twist—normal behavior of Web browsers (and some HTML-enabled email programs), namely, displaying the URL of a hyperlink in the window's status bar. What JavaScript can do in Internet Explorer is display whatever the programmer wants in the status bar. Typically, a phony link is designed to show, say, the real PayPal Web site URL, but the code behind the hyperlink takes you to a bogus site, where a lookalike page will request your username/password.

In one phishing message I got today, the genius behind the scam put the bogus URL not only in the normally hidden code, but also in the JavaScript stuff. Thus, he went to all that trouble to display precisely the data he wanted to hide.

Goof number two comes in the form of a phishing message that was created on a computer whose login name is GeouTzu. How do I know that? Easy. This Einstein used DreamWeaver to concoct the phony email message hoping to make it look like a genuine PayPal missive. In the process, however, he built the page with some images that were stored on his computer. DreamWeaver inserted references to the images through links to his local hard disk ("file:///C|/Documents and Settings/GeouTzu/My Documents/spacer.gif" to be precise).

Whatcha gonna do when they come for you?

Posted on December 04, 2005 at 11:47 AM

December 03, 2005

Beware of Sneaky Music CDs Permalink

One of the prime ways that crackers gain access to your PC is by disguising their Trojan loading software within some kind of supposed custom "media player" or "media viewer" that is required to access free stuff that won't play on widely available and trusted players (e.g., Windows Media Player or QuickTime). The unsuspecting user wants to see the funny e-card, hear the latest sound sensation, or see cute smileys, and glibly okays the license agreement prior to installing the player. After that, they're hosed. They'll probably be bombarded with adware or have their computer taken over by a bot-net commander somewhere on the far side of the planet.

As we have learned, however, it's not just no-name guys doing this stuff. Sony BMG loaded software on numerous music CDs in the hope of stopping illegal copying. It's a very sordid affair, and you should pursue the details excellently itemized in parts One, Two, Three, and Four of an ongoing story.

Among the horrors you'll learn is that even if you decline to install the software that comes on the CDs, it can install itself anyway. Although the software is not necessarily itself a Trojan, the way it was designed makes it easy for other Bad Guys to hide their garbage on your PC.

Let me share with you my policy on music CDs. I rip every CD that I buy so that I have the music as part of my iTunes library. My iTunes library is larger than the largest iPod (I'm holding onto my 30GB iPod until an 80GB or 100GB model comes around—but even that won't be big enough), so I manually select music from the main Library to transfer to my iPod. I have a decent audio setup in my office, but the CD player hasn't had much use in quite awhile. Instead, I use an Airport Express to beam my iTunes output to my office stereo. I don't play any CDs on my computers directly, but I understand why many users might do that.

Even so, I can tell you this: If a new CD's labeling indicates any kind of personal computer requirements (e.g., operating system version, player type, etc.), I wouldn't place that CD anywhere near the disc tray/slot on my computers. This information is, to me, a giant red flag that the publisher may screw with my computer, with or without my knowledge and permission. Inserting the CD into the computer could be just as dangerous as opening an unexpected attachment in an unexpected email message.

I never had to look for this kind of information on the labeling before, but it is now a vital step to take before putting any CD (or DVD I would assume) in a personal computer optical disc drive.

I applaud amazon.com for advising customers of discs it has identified as bearing some kind of computer-centric copy protection. Right after the disc's title listing, they say in all caps: "[CONTENT/COPY-PROTECTED CD]". You can be sure that such a disc will never fall into my amazon shopping cart.

I'm fortunate because the types of CDs I buy are not mainstream pop titles. The labels I buy for the most part tend to be small, independent ones, many of which are based outside of the U.S. There is less likelihood for the pirating of the music I listen to than the CDs that Sony tried to lock down. But that doesn't mean I shouldn't be just as vigilant about what the labels could try in the future. My taste for the non-mainstream also presents a potential problem for the way I buy music. For reasons of availability, I tend to buy the majority of my CDs from a dealer in the United Kingdom. I won't necessarily see the warnings that amazon puts on its listings. I won't be able to know if the packaging lists PC requirements until the disc arrives at my door.

The question remains, then, would I try to find a way to get a pirated copy or mp3 tracks of a protected CD that I wanted? Maybe it's just me (sometimes I think it's only me), but my answer is "no." I like to own the music I listen to, whether I buy CDs or electronic versions through places such as the iTunes Music Store. I'm just not a free-download kinda guy unless the material is presented by its owner as such. Your mileage probably varies, and you think I am the squarest of squares. I'd rather send my silent protest message to both the label and the artist that I won't listen to their music if they're going to potentially screw with my computer.

Simple rules by which to live and to sleep soundly.

Posted on December 03, 2005 at 01:17 PM

December 01, 2005

Address Database: Not Good Enough Permalink

Lest anyone think for a moment that I am against all commercial email, let it be known that I do sign up for emailings from online companies with whom I do business or whose products and services interest me. I signed up for those mailings, therefore their messages are not spam to me (and, as long as I'm removed from their lists when I ask to be).

I bring this up because today I received a commercial email message whose innards and disclaimer troubled me. The message originated from one of the seemingly millions of "email marketing" outfits. Due to my personal experience with several of these firms over the years (some of which are detailed in Spam Wars), I admit to starting any investigation with a bad taste in my mouth. Yeah, it's a "guilty until proven innocent" attitude, but there are so many bad apples out there, that the entire category is suspect. I'm not saying there aren't any good guys out there, but I simply won't take any e-marketing Web site's claims at face value, no matter how polished and professional the site looks.

Today's missive was selling products from a company that sells stuff both online and through its mail order catalogs. I believe I have received catalogs in the past, and it's quite possible that within the last two years I actually bought something from the catalog. Did I give them my email address? I simply don't remember. But I do know that I have not purchased anything from them in the past year.

The source code of today's message indicated that had I viewed the message in its HTML format, the images would have been retrieved from the cataloger's site. All clickable links, however, would be directed to the emarketing site, each coded with what I believe is a product number (numbered sequentially through the piece) and a number identifying me (numbered the same throughout the piece). I suspect that after my identifying number was tracked, I would be automatically redirected to the cataloger's site, specifically to the page listing that product's details.

At least the emarketing company, in designing this piece, isn't trying to go out of its way to disguise its involvement. If your email program renders HTML (or you use Web-based email) and a link's destination appears down in the status bar, you'll see the emarketing company's URL, not the cataloger's. It's the emarketer's way of tracking activity to show its cataloger client how many click-throughs arrived because of the emailing campaign. That is no heinous plot.

At this point, however, I don't know if the emarketer is using its own list of email addresses, or if the cataloger handed over its list for the emarketer to use for this campaign. The emarketer swears up and down on its Web site that lists handled in the latter way are kept confidential. Maybe yes, maybe no.

Here comes the troubling part: The disclaimer. It says that the message was intended for me (it shows the address to which this message was sent) and then this gem: "You were added to the database November 14, 2005." It then provides a link I could click on to update my preferences or opt out. The link, however, is to the emarketing firm, not to the cataloger.

So, whose list is it? And how did I get added to it on that date?

If their computers can tell me when I was added to the database, they should also tell me why. If I had placed an order with the cataloger, why not tell me that (along with the date of the order)? If they created the database on that date from the cataloger's long-held list, why not tell me? If it was because they got my address from another source, why not tell me where?

When they don't give me enough information, I feel as though they're hiding something from me. The information should be easily obtained if it's legitimate. The date, by itself, means nothing to me. The explanation of how I got on their list is simply not good enough.

They don't help themselves, either, by stating in the privacy policy that email addresses are used only to send information that I have requested. When, where, how, and through whom did I request to be sent this email message? Tell me! Tell me!!

Despite the fancy-schmancy Web site of the marketing firm, they've given me enough reason to suspect it of being loose with their lists (in acquisition and/or usage). Spam Wars readers know that I'm big on the idea of the sanctity of one's email address. Until I see otherwise, this marketing firm in my eye is abusing my address, having obtained it (directly or indirectly) by harvesting or from an untrustworthy source (who may have harvested).

My impression of the heretofore okay catalog company has dropped a couple of notches, enough to where I won't buy from them again. I'm also blocking receipt of future messages originating from the marketing firm. It's a lose-lose situation.

Posted on December 01, 2005 at 01:23 PM